Starbucks denies mobile app hack, blames careless customers

Starbucks has rebuffed claims that its mobile app has been hacked, in the wake of reports that scores of its US customers have suffered from credit card fraud. The coffee chain’s US customers have been reporting the theft of hundreds of dollars from their credit cards, in a series of scams seemingly linked to auto top-ups on …

  1. yoganmahew

    Surely time for different security....

    So the standard response of security 'experts' - regularly change your passwords (hah, as if I even know what accounts I have) and two-factor authentication (hah, so every time I use a two-bit account I have to wave my dongle at it?).

    Surely the time has come for something different? Don't ask me what, I'm not an expert, but don't expect me to spend hours keeping track of and constantly updating online accounts...

    1. Anonymous Coward
      Go

      Re: Surely time for different security....

      DNA is the answer. You should need to supply a small sample of some body fluid (your choice which kind), which is then checked against a central government database of DNA linked to bank details. If you had your hands full with shopping, then perhaps a shop assistant could, well, assist you in providing the sample.

      Clearly that's the answer. I can't really think of any drawbacks.

      1. tony2heads

        Re: Surely time for different security....

        What about identical twins?

      2. User McUser
        Alert

        Re: Surely time for different security....

        DNA is the answer.

        Oh good Lord no. No no no. Do you know how easy it is to get a DNA sample from someone? We *continually* shed our DNA all over the place; you'd hardly have to even try! Just need a few skin cells or a bit of saliva, and you can use cheap and easy PCR methods to amplify your sample into something more usable.

        Though using the DNA in a strand of hair to gain full administrative access to a computer would give a whole new meaning to "getting root access."

    2. Ian 62

      Re: Surely time for different security....

      Doesn't necessarily need to be a dongle.

      Seeing as we're talking about a mobile app, Starbucks could always plug the 2FA into the user's phone. Which they've probably got with them if they're using it for paying in Starbucks already.

      ***beepbeep*** It looks like you're trying to top up or move credits; enter the following one-time code into the Starbucks app to confirm you really are you and you really wanted to move your Starbucks-money around.

  2. Dabooka
    FAIL

    And this is why the box always must remain unticked....

    'Would you like to save your payment details securely for future purchases?'

    Only a top-rate tit would okay that box. Linked payment details, do me a favour.

    1. Dabooka

      Re: And this is why the box always must remain unticked....

      I wonder if the asshat with the downvote would care to shed some light and enlighten me? I'm curious as to what I'm missing here.....

      1. Velv

        Re: And this is why the box always must remain unticked....

        "I wonder if the asshat with the downvote would care to shed some light and enlighten me? I'm curious as to what I'm missing here....."

        I'm guessing they are either:

        A) a criminal who steals payment details

        B) a top rate tit

      2. WorldsOnlyUserFriendlyAdmin
        Happy

        Re: And this is why the box always must remain unticked....

        I'm not the asshat you were looking for but I did add a 2nd downvote to your comment just now.

        I don't see what's wrong with saving your payment info. As long as you maintain unique passwords per account and you're linked to a credit card, you're covered no matter what happens. The benefit of convenience outweighs the small risk. Pretty damn simple equation that applies to oh, I don't know, just about everything?

    2. TheProf

      Re: And this is why the box always must remain unticked....

      From The Goons:

      Bloodnok:

      Now let us take the regimental oath. Open your wallets and say after me - "Help yourself".

  3. Ragequit
    Devil

    Starbucks could have taken a different tone with that statement. Better to say they're looking into it and offer security best practices than flat out deny anything is happening on their end. Just because they didn't detect it doesn't mean there wasn't a vector they didn't consider...

    @yoganmahew - Two bit dongle? Sir, I'm not sure if you should be waving that around in public.

    1. Trigonoceps occipitalis

      Two bit dongle

      So that's 4 different answers - not very secure is it? Oh wait, 3 wrong attempts and you get locked out, just about perfect then.

  4. M7S

    It is interesting to see lots of IT people mocking users for ticking the linking boxes etc

    when it is IT people (OK, perhaps led by marketing bods, but then "following orders" doesn't absolve us of all blame) who create these options, often making them the default. After all it is our industry selling this digital nirvana where everything can be done with an app/swipe/touch and no need for too much conscious thought.

    I don't expect to be expert in everything, that's why I have to pay people to do things I cannot. Most people will be the same about IT. Perhaps, as an industry, IT should clean up its act and establish good standards, hopefully resulting in more secure/happy users and the rapid identification of "bad eggs" which if fewer in number would be easier for most users to learn about and avoid in the same way as they might avoid an unregulated financial advisor.

    That said, I'm still unclear how sites selling material (CP/pirate movies etc) that is apparently unlawful just about everywhere are still reportedly able to take credit card payments. I expect that's one for the banks to deal with.

    Now, I've just got to see these chaps who've turned up with a wheelbarrow of asphalt "left over from another job" and are offering to do my driveway for a very small fee.....

    1. Anonymous Coward
      Anonymous Coward

      Re: It is interesting to see lots of IT people mocking users for ticking the linking boxes etc

      You don't need to be some kind of IT expert to work out that effectively handing over your wallet to a retailer just to avoid the inconvenience of fishing a card or cash out of it each time you buy their product, is a bad, bad idea.

    2. icesenshi

      Re: It is interesting to see lots of IT people mocking users for ticking the linking boxes etc

      You're basically saying you pay people to think for you. Then you wonder why things go wrong and who to blame. We already know the answer to at least one of those questions.

    3. Mark 85

      Re: It is interesting to see lots of IT people mocking users for ticking the linking boxes etc

      Your answer is in the first paragraph of your post. Marketing bods with a great idea to boost profits and a board with greed in their eyes. Fact of life.

      It's like the "convenience" of having the "keep me logged in" box. The misuse is someone (probably not the IT guy) saying.. "pre-check this box for our users".

    4. Ken Moorhouse Silver badge

      Re: It is interesting to see lots of IT people mocking users for ticking the linking boxes etc

      I agree with you (M7S)

      If the likes of the bank or credit card company rings me up and asks me to verify who I am - I tell them that I need to verify who they are first. They do not seem to understand, even though they are supposedly a security-conscious organisation, the ramifications of behaviour that is encouraging misplaced trust. The more that people get into the habit of believing that it really is the bank ringing, and it is ok to give details to them, the bigger the problem when it's not. Some have now got a "we give you some info about you, you confirm something back to us." But there are very simple ways that too can be undermined, which only security-conscious people would think through.

      Then there's Contactless Payment and Oyster Cards. That was a jack-in-the-box ready to be sprung on the public. For how many years now will we be hearing "Touch only one card on the Reader..."? I suppose until they abolish the Oyster card. If it were obvious that one does not swipe your wallet with two "active" payment methods in it, then how come we are hearing these announcements?

      The bottom line is that people do not understand technology, and that we as IT Professionals need to always respect that.

  5. Inventor of the Marmite Laser Silver badge

    You could always use - ahem

    Cash

    1. Swarthy
      Alert

      Re: You could always - ahem

      One could try drinking real coffee, instead of over-sweetened milk with a flavor that is almost, but not quite, entirely unlike coffee.

    2. chivo243 Silver badge
      Coat

      Re: You could always use - ahem

      Upvote for posting the comment I was thinking of while reading the story. But then we are talking about a coffee at Fivebucks, who carries that much cash?

      Surely not in my coat...

  6. Elmer Phud

    Tested?

    In all that bold text from Starbucks not once did they say anything about having the app tested.

    Plenty of blather about 'personal' security and 'we're sure it's your fault'.

    1. Mark 85

      Re: Tested?

      The testing misdirection is evident in the number of times the word "seriously" was used, and it's just not "important", it's "incredibly important".

    2. wdmot

      Re: Tested?

      Agreed, their app needs to be thoroughly tested, and they should be able to prove that.

      However, it's very unclear how the app relates to this fraud. As far as I can see, from Bob Sullivan's and others' articles on the issue, it's all through their online account at starbucks.com. Miscreants obtain login credentials via phishing emails or a variety of other means, and there's a chance those credentials work on starbucks.com (or many other popular sites!) because many people re-use the same username and password. Not much Starbucks can do for stupid people, although they can educate the ignorant. And that applies to any other site where a similar transaction is possible.

      This (from the article) is complete nonsense:

      Sullivan recommends that all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards.

      The most that would do is slow the crook down a few seconds, since if they have access to your account, they can quickly turn that feature on and proceed to auto-charge your credit card. Perhaps what he really means is "Don't store your credit card info in your starbucks.com account so that auto-reload is not available". Then the most the crook can steal is your current Starbucks card balance.

      Any site where you have your credit card or bank details stored which can pay for anything other than, for example, your monthly electricity bill, must have a strong and unique password. Even if you get your stolen money back, it's still a big hassle. (And in this case, Starbucks should be refunding every single reported fraudulent charge -- they have a record of all the gift cards to which those fraudulent charges were sent, after all, and can invalidate the cards.)
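Two comments above describe the same control from different angles: Ian 62 suggests pushing a one-time code to the enrolled phone before a top-up or credit move goes through, and wdmot points out that disabling auto-reload is useless if an attacker holding the password can simply switch it back on. The example below is an added illustration written for this page, not code from Starbucks or from any commenter. It models a hypothetical wallet backend in which a stolen password alone can view a balance but cannot top up, transfer, or enable auto-reload: each of those actions issues a challenge whose code only the enrolled device can compute (RFC 4226 HOTP), wrong guesses are capped, and a used code cannot be replayed. The class and method names, the action names and the account values are all constructed for the demo.

```python
"""Step-up confirmation for sensitive wallet actions (constructed demo).

Hypothetical model, not Starbucks' code: a password alone lets you view the
account, but top-ups, balance transfers and switching on auto-reload need a
one-time code that only the enrolled phone can produce (RFC 4226 HOTP).
"""
import hashlib
import hmac
import secrets
import struct

SENSITIVE_ACTIONS = {"top_up", "enable_auto_reload", "transfer_balance"}
MAX_ATTEMPTS = 3  # wrong codes allowed before the challenge is voided


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class WalletAccount:
    """Server-side account state; the device secret was enrolled on the phone."""

    def __init__(self, device_secret: bytes, balance: int = 0):
        self.device_secret = device_secret
        self.counter = 0           # HOTP moving factor, advanced per challenge
        self.balance = balance     # stored value in cents (constructed)
        self.auto_reload = False
        self.pending = {}          # challenge_id -> [action, params, counter, attempts]

    def request(self, action: str, **params) -> dict:
        """Low-risk actions apply immediately; sensitive ones get a challenge."""
        if action not in SENSITIVE_ACTIONS:
            return self._apply(action, params)
        self.counter += 1
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = [action, params, self.counter, 0]
        # In a real deployment the enrolled phone is pushed the challenge here.
        return {"status": "challenge", "challenge_id": challenge_id}

    def phone_code(self, challenge_id: str) -> str:
        """What the enrolled phone displays for this challenge (simulated)."""
        return hotp(self.device_secret, self.pending[challenge_id][2])

    def confirm(self, challenge_id: str, code: str) -> dict:
        """Apply the pending action only if the code matches; void after MAX_ATTEMPTS."""
        entry = self.pending.get(challenge_id)
        if entry is None:
            return {"status": "denied", "reason": "unknown or expired challenge"}
        action, params, counter, _ = entry
        if not hmac.compare_digest(hotp(self.device_secret, counter), code):
            entry[3] += 1
            if entry[3] >= MAX_ATTEMPTS:
                del self.pending[challenge_id]
                return {"status": "denied", "reason": "challenge voided"}
            return {"status": "denied", "reason": "bad code"}
        del self.pending[challenge_id]   # single use: a replayed code fails
        return self._apply(action, params)

    def _apply(self, action: str, params: dict) -> dict:
        if action == "view_balance":
            return {"status": "ok", "balance": self.balance}
        if action == "top_up":
            self.balance += params["amount"]
        elif action == "enable_auto_reload":
            self.auto_reload = True
        elif action == "transfer_balance":
            self.balance -= params["amount"]
        return {"status": "ok", "balance": self.balance, "auto_reload": self.auto_reload}


def simulate() -> dict:
    """Attacker holding only the password vs. legitimate user holding the phone."""
    acct = WalletAccount(device_secret=b"12345678901234567890", balance=500)
    # Attacker: logged in via a reused password, tries to switch auto-reload on.
    ch = acct.request("enable_auto_reload")["challenge_id"]
    attacker = [acct.confirm(ch, guess)["reason"]
                for guess in ("000000", "123456", "111111")]
    # Legitimate user: confirms a top-up with the code shown on the phone.
    ch2 = acct.request("top_up", amount=2000)["challenge_id"]
    code = acct.phone_code(ch2)
    user = acct.confirm(ch2, code)
    replay = acct.confirm(ch2, code)   # the same code again must not work
    return {"attacker": attacker, "auto_reload": acct.auto_reload,
            "user": user, "replay": replay["reason"]}


if __name__ == "__main__":
    print(simulate())
```

The point of binding the challenge to a specific action is that the attacker's re-enabling of auto-reload, the move wdmot describes, is itself gated: password possession gets them as far as a challenge they cannot answer, and three misses void it. Real deployments would additionally rate-limit challenge creation and expire challenges on a timer.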

  7. DNTP

    I like my coffee

    like I like my commitment to online security.

    Overpriced and uselessly bloated on extraneous fat and sugar.

  8. stringyfloppy

    "Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions."

    All major retailers, like SONY for example.

  9. craigwb

    Actually, it seems that this started at the beginning of May:

    http://it.toolbox.com/blogs/enterprise-solutions/anatomy-of-a-hack-starbucks-66515
